Organisations

Collection, Use & Disclosure

Under the PDPA, an organisation may collect, use or disclose personal data only for reasonably appropriate purposes under the circumstances. Organisations should notify individuals of the purposes for the collection, use and disclosure of personal data, and seek individuals' consent for the collection, use and disclosure of the personal data unless an exception under the PDPA applies. These exceptions are set out in the Second, Third and Fourth Schedules of the PDPA respectively.

In this regard, organisations shall not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal data beyond what is reasonable to provide the product or service. If the organisation wishes to collect any additional personal data, the organisation may provide the individual the option of whether to consent to this.

For example, an organisation selling a consumer product to individuals should not require them to reveal their annual household income as a condition of selling the product, although it may ask them to provide such personal data as an optional field.

Generally, organisations may continue to use the personal data collected prior to the effective date of the data protection rules, unless the individual withdraws consent (if consent had previously been given) or indicates that he does not consent to such use of the personal data.

Consent will need to be obtained if the existing data is to be used for a new purpose different from the purpose for which it was collected, or if the existing data is to be disclosed to another organisation or individual, unless any exception applies. These exceptions are set out in the Second, Third and Fourth Schedules of the PDPA respectively. This includes exceptions catering to certain emergency situations, investigations, publicly available data or where the personal data is used for evaluative purposes.

For example, if a company has been using its customer's personal data to provide after-sales customer support prior to the PDPA, it can continue to do so after the PDPA comes into effect, even if it did not obtain consent previously. However, if it now intends to use the same personal data for direct marketing where it had not collected the personal data for this purpose, consent will need to be obtained for such a purpose. If the organisation wishes to use the personal data for telemarketing, it will separately have to ensure compliance with the DNC provisions under the PDPA.

Consent can be obtained in a number of different ways. As a best practice, an organisation should obtain consent that is in writing or recorded in a manner that is accessible for future reference, for example, if the organisation is required to prove that it had obtained consent.

An organisation may also obtain consent verbally although it may correspondingly be more difficult for an organisation to prove that it had obtained consent. For such situations, it would be prudent for the organisation to document the consent in some way.

As a good practice, organisations should generally seek individuals' consent for marketing via a distinct opt-in selection when signing up for a product or service.

An organisation will not be considered to be requiring consent to market its products or services as a condition of providing a product or service, if it allows the individual to withdraw such consent and doing so will not result in ceasing of the provision of the product or service to the individual.

The organisation should clearly state how the individual may withdraw consent from marketing subsequently (e.g. by providing a link or an email address for the individual to opt out).

Organisations should also note that this approach to obtaining consent for sending marketing messages does not apply to sending of marketing messages via voice, text and fax where clear and unambiguous consent is required under the DNC Provisions of the PDPA.

Deeming that an individual has given his consent through inaction on his/her part will not be regarded as consent in all situations. Whether or not a failure to opt out can be regarded as consent will depend on the actual circumstances and facts of the case. Organisations are advised to obtain consent from an individual through a positive action of the individual to consent to the collection, use and disclosure of his personal data for the stated purposes.

Is the collection, use or disclosure of the personal data required or authorised under the PDPA or other laws for that purpose? If so, the organisation does not need to seek consent. Otherwise, the organisation should consider whether the individual has previously withdrawn or indicated that he does not consent to that new purpose.

If the individual has previously withdrawn or indicated that he does not consent to that new purpose, the organisation should not contact him to seek consent for that new purpose. However, the organisation may seek fresh consent during any new transaction with the individual. For example, a service provider may seek the consent of subscribers who previously indicated they did not consent to the use of their personal data for other purposes, at the point of renewal of their service subscription.

Where the individual has not previously withdrawn or indicated that he does not consent to that purpose, the organisation may contact the individual to seek consent for the new purpose. However, if the new purpose involves marketing, the organisation must also comply with the Do Not Call (DNC) provisions when contacting the individual via voice, text or fax messages.

An organisation may use personal data collected before 2 July 2014 for the purposes for which the personal data was collected, unless consent for such use is withdrawn or the individual has indicated to the organisation that he does not consent to the use of the personal data.

If an organisation intends to disclose the personal data on or after the appointed day (other than disclosure that is necessarily part of the organisation's use of the personal data), the organisation must comply with the data protection provisions in relation to such disclosure. As the sale of databases containing personal data involves a disclosure of personal data, organisations must obtain valid consent from the relevant individuals before doing so.

The PDPA provides for certain exceptions to the requirement to obtain consent. One of these exceptions allows organisations to collect, use or disclose personal data without consent for the purpose of “business asset transactions”, subject to certain conditions. “Business asset transaction” is defined in the PDPA and can apply to mergers and acquisitions.

For example, Organisation A is a prospective buyer of Organisation B. Organisation A can collect personal data without consent (and Organisation B can disclose without consent) about B’s employees, customers, directors or shareholders if it relates directly to the business with which the acquisition is concerned. The personal data must be necessary for Organisation A to determine whether to proceed with the acquisition, and organisations A and B must have entered into an agreement that requires A to use or disclose the personal data solely for purposes related to the acquisition.

For full details, please refer to the Second Schedule, paragraphs 1(p) and 3, and the Fourth Schedule, paragraphs 1(p) and 3, of the PDPA.

Organisations may collect, use and disclose personal data without consent where this is necessary for evaluative purposes. The term “evaluative purpose” is defined in section 2(1) of the PDPA and includes, amongst other things, the purpose of determining the suitability, eligibility or qualifications of an individual for employment, promotion in employment or continuance in employment.

Hence, the evaluative purpose exception allows employers to collect, use and disclose personal data without the consent of the individual concerned for various purposes that are common in the employment context, for example:

a) Obtaining a reference from a prospective employee’s former employer where necessary to determine his suitability for employment; or

b) Obtaining opinions about the employee where necessary to determine his eligibility for promotion.

In practice, an organisation that has been requested to disclose information about its past employee may not be able to evaluate whether it is necessary for evaluative purposes, and may therefore wish to obtain the consent of the individual.

Organisations are required to comply with the Data Protection Provisions, including the Consent Obligation and Transfer Limitation Obligation, under the PDPA for any disclosure and overseas transfer of personal data, unless an exception applies.

Depending on the specific facts of the case, an exception to the Consent Obligation may apply such that an organisation may disclose the personal data to an overseas authority without consent from the individual. The circumstances for disclosure without consent are provided in the Fourth Schedule of the PDPA. The Transfer Limitation Obligation may also be taken to be satisfied where certain exceptions in the Fourth Schedule apply (more details are set out in Regulation 9(3)(e) of the Personal Data Protection Regulations 2014).

However, no specific exception under the PDPA routinely covers all requests from overseas authorities.

If an organisation requires further guidance from the PDPC on this matter, please write in to us at info@pdpc.gov.sg.

Organisations must notify individuals of the purposes for which their personal data (including CCTV footage of them) is collected, used or disclosed and obtain their consent, unless any exception applies. For example, notification and consent are not required if the personal data is publicly available.

The PDPA does not prescribe the content of notifications. Generally, organisations should indicate that CCTVs are operating in the premises, and the purpose of the CCTVs if such purpose may not be obvious to the individual.